Add sections for removing OpenSearch Dashboards Security plugin (#5830)

* Add sections for removing Dashboards Security plugin in other installation types

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update disable.md

Making the changes suggested by reviewer to move the paragraph relating to Dashboards removal down to the Remove OpenSearch Dashboards plugin section. 

Also, changing the headings within that section from 'Binary' to 'Tarball', and from 'Service' to 'RPM and Debian' to reflect the wording used for those types in the OpenSearch Installation sections.

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update _security/configuration/disable.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update disable.md

Clarify the location of the running OpenSearch Dashboards instance before stopping it with the Ctrl + C command.

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update disable.md

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Update the HMAC authentication requirements of exchange_key

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* Update disable.md

Quick fix on a couple of typos of opensearch_dashboards.yml

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: John Heraghty <148883955+john-eliatra@users.noreply.github.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
John Heraghty 2023-12-20 18:26:50 +00:00 committed by GitHub
parent b0f79935e7
commit ef7cacedec
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 71 additions and 14 deletions

@ -224,7 +224,7 @@ SAML, unlike other protocols, is not meant to be used for exchanging user creden
Name | Description
:--- | :---
`exchange_key` | The key to sign the token. The algorithm is HMAC256, so it should have at least 32 characters.
`exchange_key` | The key to sign the token. The algorithm is HMAC-SHA512, so it should have at least 64 characters, and base64 URL encoding.
## TLS settings
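Review bot: In the new `exchange_key` row, "at least 64 characters, and base64 URL encoding" does not parse, and it leaves open whether the 64-character minimum applies to the key before or after encoding. Suggest stating both requirements as one explicit sentence (the key must be base64url-encoded, and the 64-character minimum applies to whichever form is meant). Because the previous wording asked for only 32 characters, it is also worth saying that keys sized for the old text no longer meet the stated minimum.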

@ -9,16 +9,25 @@ redirect_from:
# Disabling security
You might want to temporarily disable the Security plugin to make testing or internal usage more straightforward. To disable the plugin, add the following line in `opensearch.yml`:
You might want to temporarily disable the Security plugin to make testing or internal usage more straightforward. The Security plugin is actually two plugins: one for OpenSearch and one for OpenSearch Dashboards. You can use the OpenSearch plugin independently, but the OpenSearch Dashboards plugin requires a secured OpenSearch cluster.
To disable the OpenSearch Security plugin, add the following line in `opensearch.yml`:
```yml
plugins.security.disabled: true
```
## Removing the OpenSearch plugin
A more permanent option is to remove the Security plugin entirely:
1. Delete the `plugins/opensearch-security` folder on all nodes.
1. Delete all `plugins.security.*` configuration entries from `opensearch.yml`.
1. Uninstall the Security plugin by using the following command:
```bash
/usr/share/opensearch/opensearch-plugin remove opensearch-security
```
To perform these steps on the Docker image, see [Working with plugins]({{site.url}}{{site.baseurl}}/opensearch/install/docker#working-with-plugins).
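Review bot: The uninstall command in the new step, `/usr/share/opensearch/opensearch-plugin remove opensearch-security`, has no `bin/` component, while the Dashboards commands later in this file call `/usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin`; please confirm the path, which looks like it should be `/usr/share/opensearch/bin/opensearch-plugin`. The folder-deletion step said "on all nodes", and the uninstall step does not; if the command replaces that step, keep the "on all nodes" wording so the plugin is not left installed on part of the cluster.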
@ -26,24 +35,15 @@ Disabling or removing the plugin exposes the configuration index for the Securit
{: .warning }
## Remove OpenSearch Dashboards plugin
The Security plugin is actually two plugins: one for OpenSearch and one for OpenSearch Dashboards. You can use the OpenSearch plugin independently, but the OpenSearch Dashboards plugin depends on a secured OpenSearch cluster.
## Removing the OpenSearch Dashboards plugin
If you disable the Security plugin in `opensearch.yml` (or delete the plugin entirely) and still want to use OpenSearch Dashboards, you must remove the corresponding OpenSearch Dashboards plugin. For more information, see [OpenSearch Dashboards remove plugins]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/plugins/#remove-plugins).
Refer to the following installation types to remove the OpenSearch Dashboards plugin.
### Docker
1. Create a new `Dockerfile`:
```
FROM opensearchproject/opensearch-dashboards:{{site.opensearch_dashboards_version}}
RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards
COPY --chown=opensearch-dashboards:opensearch-dashboards opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/
```
In this case, `opensearch_dashboards.yml` is a "vanilla" version of the file with no entries for the Security plugin. It might look like this:
1. Remove all Security plugin configuration settings from `opensearch_dashboards.yml` or place the example file in the same folder as the `Dockerfile`:
```yml
---
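Review bot: The reworded first Docker step asks the reader to place "the example file in the same folder as the `Dockerfile`", but after the reordering the `Dockerfile` is not created until the following step and the example file has not been shown yet. Suggest "or use the following example file" here, and move the instruction to keep the file next to the `Dockerfile` into the step that creates the `Dockerfile`.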
@ -52,6 +52,13 @@ If you disable the Security plugin in `opensearch.yml` (or delete the plugin ent
opensearch.hosts: http://localhost:9200
```
1. Create a new `Dockerfile`:
```
FROM opensearchproject/opensearch-dashboards:{{site.opensearch_dashboards_version}}
RUN /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards
COPY --chown=opensearch-dashboards:opensearch-dashboards opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/
```
1. To build the new Docker image, run the following command:
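Review bot: The fence around the `Dockerfile` contents in the moved step has no language tag, while the other fences in this file are tagged `yml` or `bash`; tag it `dockerfile` for consistency. Since the `COPY` line takes `opensearch_dashboards.yml` from the build context, this step is also the natural place to say that the file must sit beside the `Dockerfile`.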
@ -62,3 +69,53 @@ If you disable the Security plugin in `opensearch.yml` (or delete the plugin ent
1. In `docker-compose.yml`, change `opensearchproject/opensearch-dashboards:{{site.opensearch_dashboards_version}}` to `opensearch-dashboards-no-security`.
1. Change `OPENSEARCH_HOSTS` or `opensearch.hosts` to `http://` rather than `https://`.
1. Enter `docker-compose up`.
### Tarball
1. Navigate to the `/bin` directory in your OpenSearch Dashboards installation folder and stop the running OpenSearch Dashboards instance by pressing `Ctrl + C`.
1. Run the following command to uninstall the Security plugin:
```bash
./bin/opensearch-dashboards-plugin remove securityDashboards
```
1. Remove all Security plugin configuration settings from the `opensearch_dashboards.yml` file or use the following example file:
```yml
---
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: http://localhost:9200
```
1. Start OpenSearch Dashboards.
```bash
./bin/opensearch-dashboards
```
### RPM and Debian
1. Stop the running instance of OpenSearch Dashboards by using the following command:
```bash
sudo systemctl stop opensearch-dashboards
```
1. Navigate to the OpenSearch Dashboards folder `/usr/share/opensearch-dashboards` and run the following command to uninstall the Security plugin:
```bash
./bin/opensearch-dashboards-plugin remove securityDashboards
```
1. Remove all Security plugin configuration settings from the `opensearch_dashboards.yml` file or place the example file in the `/etc/opensearch_dashboards` folder:
```yml
---
server.name: opensearch-dashboards
server.host: "0.0.0.0"
opensearch.hosts: http://localhost:9200
```
1. Start OpenSearch Dashboards:
```bash
sudo systemctl start opensearch-dashboards
```
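Review bot: In the Tarball steps, step 1 sends the reader into the `/bin` directory of the installation, but the commands in the following steps (`./bin/opensearch-dashboards-plugin`, `./bin/opensearch-dashboards`) only resolve from the installation root; either have step 1 navigate to the installation folder or drop the `./bin/` prefix, and write the directory as `bin` so it is not read as the system `/bin`. In the RPM and Debian steps, the config folder is written `/etc/opensearch_dashboards` with an underscore, while the service and install folder are `opensearch-dashboards`; please check the folder name. Both example files set `server.host: "0.0.0.0"` with an `http://` backend and no Security plugin, so a sentence noting that Dashboards will then listen unauthenticated on all interfaces would fit next to the existing warning.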